TL;DR: According to WorkOS's analysis, Keycard argues that traditional IAM patterns break down when autonomous AI agents need ephemeral, task-scoped access, and makes the case for cryptographically bound tokens, edge enforcement, and instant revocation. The broader point is that agent identity is no longer only a secrets problem; it is a governance problem in which static privilege assumptions fail under runtime delegation.
At a glance
What this is: An analysis of Keycard's agent identity model, which replaces static secrets with ephemeral, task-scoped credentials for AI agents.
Why it matters: IAM, NHI, and emerging agent governance programmes all have to decide whether runtime access should be bound to tasks, users, and revocation rather than to long-lived credentials.
By the numbers:
- Keycard emerged from stealth in October 2025 with $38 million in funding.
- AI agents are already acting beyond their intended scope in 80% of current deployments, according to SailPoint research.
- 17 minutes.
👉 Read WorkOS's analysis of Keycard for AI agent security
Context
AI agent identity security is the problem of proving what an agent is allowed to do, for which task, and for how long. Traditional IAM was designed around people, sessions, and durable entitlements, so it struggles when software actors can initiate actions at runtime, chain tools, and consume access in bursts that do not map neatly to human review cycles.
The practical gap is not authentication alone. Once agents start acting on behalf of users across APIs and services, the governance question becomes whether credentials are task-bound, revocable, and auditable enough to support enterprise control, especially in environments that already rely on service accounts, secrets, and delegated access paths.
Key questions
Q: How should security teams govern AI agent credentials in production?
A: Security teams should govern AI agent credentials as short-lived, task-scoped access artifacts, not as reusable secrets. That means binding each credential to a specific user authorisation, resource set, and expiry condition, then enforcing revocation at shared control points. The goal is to reduce blast radius and preserve auditability when agents act across services.
Q: Why do AI agents complicate zero-trust access models?
A: AI agents complicate zero-trust because the actor can initiate actions, choose tools, and consume access dynamically at runtime. That breaks assumptions built around stable users, predictable sessions, and reviewable standing privilege. Zero trust still applies, but the trust boundary has to move from the agent itself to the token, context, and enforcement point.
Q: What do teams get wrong about agent identity and secret rotation?
A: Teams often focus on rotating secrets faster, when the deeper issue is whether the secret should exist as a durable credential at all. If an agent can reuse access across tasks, rotation only narrows the exposure window. The better test is whether the credential is bound tightly enough that reuse is impossible outside the approved task.
Q: Should organisations place AI agents in the same governance model as service accounts?
A: Yes, but not identically. AI agents belong in the non-human identity model, yet they need additional controls for delegation, runtime context, and revocation because their behaviour is more variable than a conventional service account. Organisations should manage them under the same governance umbrella while applying stricter task-level boundaries.
Technical breakdown
Ephemeral agent credentials and task-scoped access
Agent-native identity models replace long-lived API keys with short-lived credentials bound to a single task or interaction. The point is not just shorter lifetime. It is binding the token to user intent, resource ownership, and the specific action context so the credential cannot be reused as a general-purpose secret. That shifts the security model from static entitlement to narrow runtime authorization. It also reduces the blast radius when an agent is compromised or misused, because the token should expire with the task rather than persist across sessions.
Practical implication: treat agent credentials as task artifacts, not reusable secrets, and require expiration semantics that match the work being performed.
Cryptographic delegation chains for AI agent identity
Cryptographic delegation chains preserve evidence of who authorised an agent, what it was allowed to touch, and how that access was issued. This matters because agent behaviour often spans multiple systems and identity providers, making traditional log review too thin for accountability. If every step of the delegation path is encoded in the token or associated proof, downstream services can verify access without relying on a separate human memory of approval. That creates stronger auditability, but only if the identity path remains intact across federation boundaries and service hops.
Practical implication: require delegation evidence that survives federation, so downstream controls can verify the user-to-agent relationship without manual reconstruction.
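As an added illustration rather than Keycard's or WorkOS's code, the following Python sketches the issuance and verification described in the two subsections above: a task-scoped root credential minted for one user and one task, and an attenuating delegation chain that a downstream service verifies link by link. The issuer names, key registry, claim names and grant tuples are assumptions chosen for the example; per-issuer HMAC keys stand in for the public-key signatures a real deployment would use, so here verifiers hold the same keys as issuers.

```python
"""Task-scoped agent credential with an attenuating delegation chain: each link is
signed by its issuer, and task, user, scope and lifetime may only narrow, never widen."""
import base64
import hashlib
import hmac
import json

# Constructed key registry (assumption): production issuers would sign with private
# keys and verifiers would hold only public keys. Per-issuer HMAC keys stand in here
# so the example runs on the standard library alone.
KEYS = {"idp": b"idp-signing-key-example", "agent-planner": b"planner-key-example"}

def _canon(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _sign(issuer, claims):
    mac = hmac.new(KEYS[issuer], _canon(claims), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def _link(issuer, claims):
    return {"claims": claims, "sig": _sign(issuer, claims)}

def mint_task_token(user, agent, task_id, grants, ttl, now):
    """Root link: the IdP issues the agent a credential bound to one user and one task."""
    claims = {"iss": "idp", "sub": agent, "act_for": user, "task": task_id,
              "grants": [list(g) for g in sorted(grants)], "iat": now, "exp": now + ttl}
    return [_link("idp", claims)]

def delegate(chain, delegator, child, grants, ttl, now):
    """Append a link in which delegator hands part of its access to child.
    Nothing is clamped here on purpose; widening is caught by the verifier."""
    parent = chain[-1]["claims"]
    claims = {"iss": delegator, "sub": child, "act_for": parent["act_for"],
              "task": parent["task"], "grants": [list(g) for g in sorted(grants)],
              "iat": now, "exp": now + ttl,
              "parent": hashlib.sha256(_canon(parent)).hexdigest()}
    return chain + [_link(delegator, claims)]

def verify_chain(chain, now):
    """Return (ok, reason). The chain must start at the IdP, each link must be signed by
    its issuer, each issuer must hold the previous link, and scope may only narrow."""
    if not chain or chain[0]["claims"]["iss"] != "idp":
        return False, "chain does not start at the identity provider"
    prev = None
    for link in chain:
        c = link["claims"]
        if c["iss"] not in KEYS:
            return False, f"unknown issuer {c['iss']}"
        if not hmac.compare_digest(link["sig"], _sign(c["iss"], c)):
            return False, f"bad signature on link issued by {c['iss']}"
        if c["exp"] <= now:
            return False, f"link held by {c['sub']} has expired"
        if prev is not None:
            if c["iss"] != prev["sub"]:
                return False, "delegator does not hold the parent link"
            if c["parent"] != hashlib.sha256(_canon(prev)).hexdigest():
                return False, "parent link hash mismatch"
            if (c["task"], c["act_for"]) != (prev["task"], prev["act_for"]):
                return False, "task or user changed across delegation"
            if not set(map(tuple, c["grants"])) <= set(map(tuple, prev["grants"])):
                return False, "delegation widened scope"
            if c["exp"] > prev["exp"]:
                return False, "delegation extended lifetime"
        prev = c
    return True, "ok"

def authorize(chain, agent, task_id, resource, action, now):
    """Decision a downstream service makes from the presented chain alone."""
    ok, reason = verify_chain(chain, now)
    if not ok:
        return False, reason
    leaf = chain[-1]["claims"]
    if leaf["sub"] != agent:
        return False, "chain presented by an agent other than its holder"
    if leaf["task"] != task_id:
        return False, "token reused outside its task"
    if [resource, action] not in leaf["grants"]:
        return False, f"{action} on {resource} not granted"
    return True, "ok"

def demo():
    now = 1_700_000_000  # constructed fixed clock
    root = mint_task_token("alice", "agent-planner", "task-42",
                           [("crm/accounts", "read"), ("crm/notes", "write")], 300, now)
    worker = delegate(root, "agent-planner", "agent-writer", [("crm/notes", "write")], 120, now)
    widened = delegate(root, "agent-planner", "agent-writer",
                       [("crm/notes", "write"), ("billing/invoices", "read")], 60, now)
    tampered = worker[:-1] + [{"claims": dict(worker[-1]["claims"], task="task-99"),
                               "sig": worker[-1]["sig"]}]
    return {
        "writer_ok": authorize(worker, "agent-writer", "task-42", "crm/notes", "write", now),
        "not_delegated": authorize(worker, "agent-writer", "task-42", "crm/accounts", "read", now),
        "other_task": authorize(worker, "agent-writer", "task-43", "crm/notes", "write", now),
        "widened": authorize(widened, "agent-writer", "task-42", "billing/invoices", "read", now),
        "tampered": authorize(tampered, "agent-writer", "task-99", "crm/notes", "write", now),
        "expired": authorize(worker, "agent-writer", "task-42", "crm/notes", "write", now + 121),
    }
```

The verifier never trusts the delegator's signature alone: a correctly signed link that widens scope or extends lifetime is rejected, which is what keeps a compromised planner agent from manufacturing access it was never given. Swapping `_sign` for a real signature scheme and `KEYS` for a public-key directory does not change the chain-walking logic.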
Edge enforcement for AI agent access control
Edge-based enforcement means policy decisions happen outside the agent itself, at the network or service boundary, rather than inside application code. This reduces attack surface because the agent does not need embedded auth logic and cannot silently bypass local checks. It also makes runtime policy evaluation more consistent across hybrid environments, where agents may call cloud, on-premises, and SaaS targets. The tradeoff is operational discipline: every enforcement point must understand the same token semantics, context signals, and revocation rules or control will fragment.
Practical implication: move enforcement to shared control points and test whether every downstream service honours the same agent token and revocation rules.
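Also an added example, not the page's or Keycard's code: a minimal enforcement-point model in Python for the boundary enforcement and revocation-consistency test described above. The token shape, the shared ControlPlane registry, the service names and the deliberately misconfigured StaleCachingPoint are all constructed for illustration; tokens are treated as opaque identifiers resolved at the control plane rather than as self-contained signed tokens, so the example isolates the enforcement question from the signature question.

```python
"""Edge enforcement for agent access: every decision is made at a service
boundary against a shared registry, never inside the agent."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class TaskToken:
    token_id: str
    agent: str          # the only principal allowed to present the token
    user: str           # human whose authorisation the task carries
    task_id: str
    grants: frozenset   # {(service, resource, action)} tuples
    expires_at: int     # unix seconds

@dataclass
class ControlPlane:
    """Shared issuer/registry (assumed) consulted by every enforcement point.
    Revocation is recorded once here; every boundary must re-check it."""
    issued: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)

    def issue(self, token):
        self.issued[token.token_id] = token

    def revoke(self, token_id):
        self.revoked.add(token_id)

@dataclass
class EnforcementPoint:
    """Boundary in front of one service. The agent's own view of its rights
    never enters the decision, only the registry and the recorded grant."""
    service: str
    plane: ControlPlane

    def decide(self, token_id, presenter, resource, action, now):
        tok = self.plane.issued.get(token_id)
        if tok is None:
            return False, "unknown token"
        if token_id in self.plane.revoked:
            return False, "token revoked"
        if tok.expires_at <= now:
            return False, "token expired"
        if tok.agent != presenter:
            return False, "presented by an agent other than its holder"
        if (self.service, resource, action) not in tok.grants:
            return False, "access not granted for this service"
        return True, "ok"

@dataclass
class StaleCachingPoint(EnforcementPoint):
    """Constructed misconfiguration: caches allow decisions and never re-checks
    revocation, the fragmentation failure mode a conformance test should catch."""
    cache: dict = field(default_factory=dict)

    def decide(self, token_id, presenter, resource, action, now):
        key = (token_id, presenter, resource, action)
        if key not in self.cache:
            self.cache[key] = super().decide(token_id, presenter, resource, action, now)
        return self.cache[key]

def revocation_conformance(plane, points, token, probes, now):
    """Drive-test each boundary with one granted probe per service: it must pass
    before revocation and fail after it. Returns the services breaking either rule."""
    def run():
        return {p.service: p.decide(token.token_id, token.agent, *probes[p.service], now)[0]
                for p in points}
    before = run()
    plane.revoke(token.token_id)
    after = run()
    return {"rejected_before_revocation": sorted(s for s, ok in before.items() if not ok),
            "accepted_after_revocation": sorted(s for s, ok in after.items() if ok)}

def demo():
    now = 1_700_000_000  # constructed fixed clock
    plane = ControlPlane()
    tok = TaskToken("tok-1", "agent-writer", "alice", "task-42",
                    frozenset({("crm", "notes", "write"), ("mail", "drafts", "create"),
                               ("files", "reports", "read")}), expires_at=now + 300)
    plane.issue(tok)
    crm = EnforcementPoint("crm", plane)
    mail = EnforcementPoint("mail", plane)
    files = StaleCachingPoint("files", plane)
    results = {
        "granted": crm.decide("tok-1", "agent-writer", "notes", "write", now),
        "wrong_resource": crm.decide("tok-1", "agent-writer", "accounts", "read", now),
        "wrong_presenter": mail.decide("tok-1", "agent-planner", "drafts", "create", now),
        "expired": mail.decide("tok-1", "agent-writer", "drafts", "create", now + 300),
    }
    results["conformance"] = revocation_conformance(
        plane, [crm, mail, files], tok,
        {"crm": ("notes", "write"), "mail": ("drafts", "create"), "files": ("reports", "read")},
        now)
    return results
```

The conformance function is the check the practical implication asks for: revoke a live token and probe every boundary with a request that was valid a moment earlier. Any service still answering "ok" is where control has fragmented, and in this constructed run that is the caching point.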
Breaches seen in the wild
- Moltbook AI agent keys breach: the Moltbook breach exposed 1.5M AI agent keys.
- MongoBleed breach: MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Static-secret governance is no longer a safe baseline for AI agents: long-lived credentials were designed for actors whose access changes slowly and is reviewed on human time. That assumption fails when agents are spawned at scale, consume access in bursts, and can complete useful work before a review cycle even begins. The implication is that identity governance must stop treating agent access as a durable entitlement problem and start treating it as a runtime delegation problem.
Task-scoped authorization is the right named concept for this category: the core control issue is not whether an agent has a login, but whether its access is bound tightly enough to a specific purpose, user, and resource set. Broad permissions create an identity blast radius that grows with every additional tool and downstream service. Practitioners should read this as a sign that agent identity belongs in the same control conversation as NHI governance, not as a separate AI-only exception.
Agent identity and NHI governance now overlap in the same control plane: AI agents are NHIs, but their runtime behaviour makes them more difficult to govern than conventional service accounts. That creates pressure on existing NHI programmes to account for delegation, revocation, and auditability in ways static workload identity models never had to handle. The practical conclusion is that teams cannot separate agent governance from broader non-human identity lifecycle control.
Lifecycle controls built for persistent access do not fully describe agent risk: recertification, offboarding, and privilege review were designed for identities that keep access long enough to be seen. Ephemeral agents can create access and destroy it within a session, which means the control objective shifts from reviewing standing privilege to proving that access was never broader than the task required. The implication is that governance evidence must move closer to issuance time.
Edge enforcement exposes the real failure mode in agent security programmes: the problem is not only where policy lives, but whether downstream systems can enforce the same decision consistently without trusting the agent’s own behaviour. If the agent can route around policy or if services interpret context differently, the delegation chain becomes the weak point. Practitioners should therefore treat runtime consistency as a control requirement, not an implementation detail.
From our research:
- AI agents are already acting beyond their intended scope in 80% of current deployments, according to SailPoint's AI Agents: The New Attack Surface report.
- Only 44% of organisations have implemented policies to govern AI agents, even though 92% agree governance is critical to enterprise security.
- For a broader control view, see OWASP Agentic AI Top 10 for the agent goal hijacking and tool misuse risks practitioners should model next.
What this signals
Task-bound identity is becoming the dividing line between pilot-scale and production-scale agent governance. Once agents start touching real business systems, the control question is no longer whether they authenticate but whether their access is narrow enough to survive audit, revocation, and incident review. Teams should expect pressure to align agent identity with the same non-human identity governance model used for service accounts, but with tighter runtime proof requirements.
Ephemeral credential trust debt: as more agents are provisioned quickly, organisations accumulate hidden assumptions about who owns the access, when it expires, and whether it can be revoked cleanly. That debt shows up when a workflow needs forensic reconstruction or when a delegated token outlives the business task it was meant to support. Practitioners should pair identity lifecycle controls with stronger runtime evidence, not just faster provisioning.
With only 52% of companies able to track and audit the data their AI agents access, the governance gap is already visible in compliance and breach response. That is why the next wave of IAM work will focus less on login mechanics and more on proving delegation, scope, and termination across every non-human actor.
For practitioners
- Define agent credentials as task-scoped artifacts: issue access only for a specific task, user, and resource set, and require automatic expiry at task completion so credentials cannot survive as reusable secrets.
- Audit every delegation path: track which human or system authorised each agent action, which identity provider issued the token, and which downstream service accepted it so you can reconstruct the delegation chain without guesswork.
- Move authorization checks to shared enforcement points: validate agent tokens at network or service boundaries rather than inside agent code, and verify that revocation is enforced consistently across cloud, on-premises, and SaaS targets.
- Separate agent governance from standing privilege reviews: update lifecycle processes so review evidence focuses on issuance context, task scope, and revocation timing instead of relying on quarterly recertification of persistent access.
- Map AI agents into the NHI register: classify agents alongside service accounts, tokens, and other non-human identities so ownership, exception handling, and offboarding are covered by the same governance workflow.
Key takeaways
- AI agent identity cannot be governed safely with human-centric IAM assumptions, because runtime delegation and bursty access patterns break static privilege models.
- The evidence points to a control gap, not just a technology gap, with most current deployments already exceeding intended scope and many organisations unable to audit agent access.
- Practitioners should shift from durable-secret management to task-scoped, revocable, and fully traceable agent identity governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agentic workloads need bounded tool use and runtime authorization. |
| OWASP Non-Human Identity Top 10 | NHI7:2025 Long-Lived Secrets | Long-lived secrets are the wrong model for ephemeral agent access. |
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | This article centers on access enforcement and least privilege for agents. |
Map agent access paths to PR.AA-05 and verify least privilege at each enforcement point.
Key terms
- Task-scoped credential: A task-scoped credential is an access token issued for one defined job, user, or workflow step. It should expire when the task ends and should not function as a reusable general secret. In agent environments, this reduces blast radius and makes authorization evidence easier to audit.
- Delegation chain: A delegation chain is the traceable path showing who authorised an identity to act, what scope was granted, and how that access propagated to downstream systems. For agents, the chain must remain machine-verifiable so audit and incident review do not depend on memory or manual reconstruction.
- Edge enforcement: Edge enforcement is the practice of checking identity and policy at the network or service boundary instead of inside the workload itself. In agent governance, it keeps access control outside the agent’s execution path and makes revocation more consistent across distributed systems.
- Identity blast radius: Identity blast radius is the amount of damage an identity can cause if it is misused, compromised, or over-privileged. For AI agents, the blast radius grows quickly when credentials are broad, reusable, or poorly scoped to the task the agent is performing.
Deepen your knowledge
AI agent identity governance and task-scoped credential design are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for autonomous workloads or delegated agent access, it is worth exploring.
This post draws on content published by WorkOS: Keycard for AI Agent Security: Features, Pricing, and Alternatives. Read the original.
Published by the NHIMG editorial team on 2025-11-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org